Posted
by
Soulskill
on Sunday September 05, 2010 @01:20AM
from the my-name-is-michael-westen dept.

crimeandpunishment writes "Does the battle over the Blackberry ban in the United Arab Emirates have its roots in a spy story? Dubai's police chief says concern over espionage (specifically, by the US and Israel) led to the decision to limit BlackBerry services. The UAE says it will block BlackBerry email, messaging, and web services on October 11th unless it gets access to encrypted data. Comments by Lt. Gen. Dahi Khalfan Tamim are often seen as reflecting the views of Dubai's leadership, and would appear to indicate a very hard line in talks with Research in Motion."

So if RIM were a Chinese company, or better - Iranian, or say head quartered in Dubai, would you have any problems with BlackBerries being used by the majority of our government officials & heads of industry? These people have more than enough reason to be wary of our intelligence services.Without knowing any specifics, you should at least have a _little_ faith in their (our intel) capabilities. It's just a little silly to think the rest of the world is just a bunch of tinfoil hat types when it's no secret that we, and everybody else do pay people to collect information on, stuff. AKA spy.

You mean just like the US and UK governments do through legal or extra-legal means? Installing data taps in ISP and telephone providers operations centres? Demanding encryption keys from companies and private citizens alike?

Let's not pretend that these are tinpot developing nations - these guys are following the example set by #1!

And with APG [thialfihar.org] and k9mail [google.com] on Android [android.com] this is simple to use on a mobile phone. I bet the UAE (and the USA) government would have a fit if everyone sent emails with 4096 bit encryption.

What I was also going to say is: If I was a counter-intelligence chief and particularly one in a country where the government could force their will internally easier than the US, and I was concerned about a device being used to spy, I'd push to have the device banned. We'd work to get rid of them and run public education campaigns letting people know that they could be spied on using them. That is how to make it safe. I wouldn't ask for access to the data. That gets me nothing in terms of preventing others from using it.

It would be like upon finding out that someone had bugged private political offices going to the person who planted the bugs and not arresting them, but saying "It's cool, just let me listen in too." If I wanted to stop the spying, I'd remove the bugs and arrest the person who placed them.

If you do that, you aren't concerned about stopping spying, you are the one who wants to do the spying.

Western intelligence services already have access to Blackberry servers - and had for years.

Beyond actual wiretap API interfaces provided by RIM there's also a net of broad packet-capture: as had been documented in detail here on Slashdot, AT&T had been running raw, spliced optical cables straight to the NSA headquarters since late 2001, carrying most of the raw IP traffic in the USA - including most unencrypted Blackberry emails as well.

Any new encrypted service that offers no access for intelligence and police you are hearing repeat stories about how they support terrorists or criminals - until they provide that access. (In most western countries companies are obliged to offer wire-tap access to authorities: Germany, UK and USA are amongst them)

The general public will rarely hear about actual usage of these broad wiretaps - as it's covered in secrecy with 'national security letters' and their legal equivalents.

While you might dismiss the UAE's concerns with "it's not a democracy", lets look at a similar case: India's problem with not being able to wiretap Blackberry phones - in the wake of the Bombay terrorist attacks that left 150+ people dead. (India's 911, so to speak.)

So how can we in the West deny India (the world's largest democracy) access to unencrypted Blackberry traffic for criminal, security and military reasons, without being hypocrites?

Conversely, how would western intelligence agencies react if Blackberry were run by an indian company and all the servers were in India, and India refused access to unencrypted emails?

Is it just me, or is it that since RIM's shown that they'd give ground to world governments (even if it's a face-saving maneuver, as some here have said), that everybody and their brother now wants access to their servers?

Seventy years? You think you have to go that far back to find a dictatorship? Read current events, and you can find one totalitarian state in existence right now in Korea. At least 3 repressive theocracies, in existence, right now. We can list some de facto dictatorships in the last 40 years, no matter the names they used for their nations and/or governments. Pol Pot and Idi Amin come readily to mind, as does Saddam Hussein.
Maybe people like yourself don't recognize a dictatorship unless and until they kill off a million or more people. Even so - Pol Pot's government should have caught your notice!

Well China is a fairly easy target to beatup. Seeing as how government officials have repeatedly been showing willingness to screw over one party, or a foreign business group for the benefit of someone they know. There, the government is just a partner of your business. If they aren't? You can bet your ass they'll be helping your competitor because you wern't in lock step with them.

Private encryption keys are generated in a secure, two-way authenticated environment and are assigned to each BlackBerry smartphone user. Each secret key is stored only in the user's secure enterprise account (i.e., Microsoft® Exchange, IBM® Lotus® Domino® or Novell® GroupWise®) and on their BlackBerry smartphone and can be regenerated wirelessly by the user.

Data sent to the BlackBerry smartphone is encrypted by BlackBerry Enterprise Server using the private key retrieved from the user's mailbox. The encrypted information travels securely across the network to the smartphone where it is decrypted with the key stored there."

Storing your private key in 2 places is traditionally a bad idea. Especially when one of those places is in the hands of a company which can be compelled to hand it over without telling you.

If the goal were to simply be able to send data securely between your secure enterprise account and your blackberry then your secure enterprise account should only have your public key with which to encrypt data it sends to you and your private key should remain in your hands and your hands alone.Idealy the secure enterprise account shouldn't be able to decrypt your data at all.

Now this could be for the sake of efficiency since public key crypto takes more cpu cycles but simply put if the US government asked for your private key, lets say they sent an NSL, RIM would be able to give it to them.That is not a secure system.A secure system would be one where only you have your private key and where blackberry merely validates certificates.In which case anyone who wanted to read your communications would have to perform an explicit man in the middle attack after strong-arming blackberry into signing a cert for them.

So to make it genuinely secure you'd have to use public key crypto and let people choose their own certificate service in which case it would be as secure as the cert service and devices themselves.

So you are saying that my private encryption key on my blackberry has been turned over to the US government?

Simply put, if they asked for it then yes, there's nothing stopping that.

1. AES and/or 3DES is secure and has not been broken by spook agencies.2. The implementation in BlackBerry phones does not have flaws, in particular, that it does not leak all or part of the key.3. The key-exchange used is secure and has no implementation flaws.4. There is no OTA triggered feature that causes the phone to reply with all or parts of the key.

You can probably figure out more assumptions.

You are correct that it's your security key. However, it is generated on RIM's hardware with RIM's software implementation.

What is the relation of shoes to this topic at all? Discussion was not about shoes and the TS was trying to make fun of the main topic.

Exactly. And public ridicule is often a very appropriate way to deal with such "Ban it all" approaches.

A local example: Here in Massachusetts, the courthouses have installed metal detectors in the doorways over the past few years. There were news reports explaining that a huge number of weapons (over 17,000 in one report) had been confiscated from people entering the courthouses in the previous year. Some local reporters got a bit curious about this and interviewed some of the managers, who were audibly reluctant to answer questions about just what kinds of weapons people had tried to bring into the courthouses. After a while, the interviewers finally got an admission of what these weapons were: "pocket knives, of the Swiss Army type".

That's right, they were classifying pocket knives as "weapons". And when pressed to admit this, they described such knives with phrasing intended to make them sound like military weapons.

It's quite common for security folks to use this sort of PR tactic to make it sound like they're detecting huge rates of attacks from people intent on doing harm. Similarly, when we've got the details of the ongoing huge numbers of computer "hacker attacks", it has sometimes turned out that they're counting incoming pings as "attacks", probes in the same class as port scans.

When we hear or read vague language like "spy tool" to describe threats, we should always suspect that they're including normal, everyday uses of tools in this catchall classification. We should try to learn more details of what they're really talking about, and how they're planning to deal with it. Ridiculing them by pointing out that shoes are also "spy tools" is quite appropriate, to highlight the misleading nature of that phrase. Similarly, pings are "hacker tools" and pocket knives are "Army type weapons". This sort of misuse of language is a standard propaganda tool that should be exposed.

Hmm... I'm not sure I agree with you. But recall you aren't given the option to import your own certificate. RIM controls that. Weakspot nmber 1.Also see that your private key is stored on the server automagically. Don't think this isn't accessible by the BES admin. And if you really want to get all the conspiracy theorists hot and bothered... remember that for foreign sales RIM is under no obligation to reveal to you if its encryption is purposefully altered to permit, say... a back door master key.But that's needlessly messy, since you have the cert control, and the private keys of all your users.

If I were a dictator or a repressing government, I'd do everything in my power to reject this techonolgy, but I doubt I could resist it. It is for this fact alone that if the CIA is NOT attempting to infiltrate via these methods, they are missing a great opportunity.

Except smartass, this time Israeli spies really did land in Dubai, use Blackberries, assassinated someone and left.

Dubai police can't decrypt the messages sent by the spies.

DO YOU SEE THE PROBLEM? OR ARE YOU TOO MUCH OF AN AMERIC*NT TO FIGURE IT OUT?

Yes, because of course a highly-trained and experienced Israeli hit squad couldn't have just used regular unencrypted voice telephony to complete their mission. They hardly needed Blackberries, assuming they really did what they're accused of (not saying they didn't, nor do I care for that matter.) All that will happen is that the Israelis, the next time they decide to whack someone in Dubai, won't bother using Blackberries. For that matter, now that they know the things are being monitored, they can probably use that fact for some misdirection. Consequently, this has no benefit to the UAE so far as a defense from Israeli spies is concerned. Not much good so far as internal threats go, I might add, now that everyone knows what's going on. So spare us your stupid anti-American commentary. This has nothing to do with the U.S., has nothing to do with Israel, this has to do with yet another government afraid of its own people.